← ALL POSTS
CYBERSECURITY EXPLAINER

NIST CSF: a map, not a mandate

At some point in every security conversation, somebody drops the phrase "NIST framework," and the room quietly splits into people who nod and people who make a note to google it later. If you're in the second group: NIST is the National Institute of Standards and Technology, a US federal agency, and its Cybersecurity Framework (the CSF) is a free document that organizes security work into plain categories. It was written so that organizations of any size could talk about security in the same terms. For a small business, it's genuinely useful, as long as you treat it as what it is: a map, not a mandate.

Nobody is going to audit you against it

Let's clear this up first, because it's the most common misunderstanding. The CSF is voluntary. There is no CSF certification, no CSF auditor, no CSF fine. (Some government contracts require specific NIST standards like 800-171, which is a different, binding animal. If you have defense contracts, that's its own conversation.) The CSF's job is to give you a complete picture of what security work exists, so you can see which parts you're doing and which parts you've never thought about. That's the whole trick: most small businesses don't fail at security because they did things badly. They fail because entire categories never occurred to anyone.

The six functions, translated

The framework organizes everything under six functions. Version 2.0, released in 2024, added the sixth (Govern) and, notably, was rewritten to apply to small organizations, not just critical infrastructure. Here's each one as a question a business owner can actually answer:

Using it to find gaps without drowning

The full CSF breaks those functions into dozens of categories and subcategories, and this is where small businesses drown if they try to be thorough. Don't be thorough. Do this instead:

  1. Score yourself at the function level. Six functions, rated honestly from 0 to 3. Takes an hour with whoever knows your IT. Most small businesses land around a 2 on Protect and a 0 or 1 on Detect, Respond, and Govern. That lopsided shape is normal, and seeing it is the entire value of the exercise.
  2. Pick the worst function, not more Protect. The instinct is always to buy another protection tool. The map usually says your next dollar belongs in Detect or Respond, where you're at zero. Going from 0 to 1 in a weak function beats going from 2 to 2.5 in a strong one every time.
  3. Fix three things a quarter. Write down the three gaps you'll close this quarter, close them, rescore next quarter. That cadence is sustainable forever. A 40-page gap assessment that names everything and gets nothing done is worse than no assessment, and we've inherited plenty of those.

Side benefit: cyber insurance applications and customer security questionnaires ask questions that fall neatly into these same six buckets. Once you've done the self-score, those forms stop being scary, because you already know your answers and your gaps.

How to know you're using it right

You can name your weakest function without looking it up. Your last quarter's three fixes are done, and this quarter's three are named. Spending follows the gaps instead of following whichever vendor called last. And when someone asks "are we secure?", the answer isn't yes or no, it's "here's our map, here's where we're strong, here's what we're fixing next." That answer is what the framework is for. We run this exact exercise with clients as a first engagement, and the hour of honest scoring routinely reshapes the whole IT budget that follows it.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
The first 24 hours after a breach: what to do, in order Explainer
Phishing training that people don’t hate Explainer
Dark web monitoring: useful signal or scare tactic? Explainer
Do you still need a VPN? Explainer
HIPAA IT compliance: the checklist without the lawyer bill Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston